Ref # | Hits | Search Query | DBs | Default Operator | Plurals | Time Stamp
S18 | 162 | (SAK SAS security adj (attention [illegible] | US-PGPUB; USPAT | OR | OFF | 2006/04/03 15:53
S19 | 6 | (halt$ disabl$4 stop$3 ceas$3 paus$3 susspen$5 interrupt$3) same (SAK SAS security adj (attention memory)) same [illegible] | US-PGPUB; USPAT | OR | OFF | 2006/04/03 15:57
S20 | 261 | (halt$ disabl$4 stop$3 ceas$3 paus$3 susspen$5 interrupt$3) near3 (program$1 task$1 application$1 routine$1 [illegible] | US-PGPUB; USPAT | OR | OFF | 2006/04/03 17:38
S21 | 71 | (halt$ disabl$4 stop$3 ceas$3 paus$3 susspen$5 interrupt$3) near3 (program$1 task$1 application$1 routine$1 processes$1) near7 (authenticat$3) | US-PGPUB; USPAT | OR | OFF | 2006/04/03 16:21
S22 | 748 | (halt$ disabl$4 stop$3 ceas$3 paus$3 susspen$5 interrupt$3) near3 (program$1 task$1 application$1 routine$1 processes$1) and "7267$.ccls. not S21 | US-PGPUB; USPAT | OR | OFF | 2006/04/03 16:23
S23 | 1 | ((halt$ disabl$4 stop$3 ceas$3 paus$3 susspen$5 interrupt$3) near3 (program$1 task$1 application$1 routine$1 processes$1)) near20 authenticat$ and "7267$-ccls. not S21 | US-PGPUB; USPAT | OR | OFF | 2006/04/03 16:24
S24 | 33 | ((halt$ disabl$4 stop$3 ceas$3 paus$3 susspen$5 interrupt$3) near3 (program$1 task$1 application$1 routine$1 processes$1)) same authenticat$ [illegible] | US-PGPUB; USPAT | OR | OFF | 2006/04/03 17:38
S25 | 13 | ((halt$ disabl$4 stop$3 ceas$3 paus$3 susspen$5 interrupt$3) near3 (program$1 task$1 application$1 routine$1 processes$1)) near25 authenticat$ | EPO; JPO; DERWENT | OR | OFF | 2006/04/03 16:29
S26 | 57173 | ((halt$ disabl$4 stop$3 ceas$3 paus$3 susspen$5 interrupt$3) near5 (program$1 task$1 application$1 routine$1 processes$1)) not I8near25 authenticat$ | EPO; JPO; DERWENT | OR | OFF | 2006/04/03 16:29
S27 | 6 | ((halt$ disabl$4 stop$3 ceas$3 paus$3 susspen$5 interrupt$3) near5 (program$1 task$1 application$1 routine$1 processes$1)) near25 authenticat$ not S25 | EPO; JPO; DERWENT | OR | OFF | 2006/04/03 16:29
S28 | 19 | ((halt$ disabl$4 stop$3 ceas$3 paus$3 susspen$5 interrupt$3) near5 (program$1 task$1 application$1 routine$1 processes$1)) same authenticat$ [illegible] | US-PGPUB; USPAT | OR | OFF | 2006/04/03 16:30
S29 | 71 | (halt$ disabl$4 stop$3 ceas$3 paus$3 susspen$5 interrupt$3) near3 (program$1 task$1 application$1 routine$1 processes$1) near7 (authenticat$3) | US-PGPUB; USPAT | OR | OFF | 2006/04/05 15:53
S30 | 208 | (halt$ disabl$4 stop$3 ceas$3 paus$3 suspen$5 interrupt$3) near3 (program$1 task$1 application$1 routine$1 processes$1) same [illegible] | US-PGPUB; USPAT | OR | OFF | 2006/04/03 20:12
S31 | 90 | (halt$ disabl$4 stop$3 ceas$3 paus$3 suspen$5 interrupt$3) near3 (program$1 task$1 application$1 routine$1 processes$1) near15 (password)not S29 | US-PGPUB; USPAT | OR | OFF | 2006/04/03 17:39
S32 | 88 | S31 not (S30 S29) | US-PGPUB; USPAT | OR | OFF | 2006/04/03 17:51
S33 | 351 | (halt$ disabl$4 stop$3 ceas$3 paus$3 suspen$5 interrupt$3) near3 (program$1 task$1 application$1 routine$1 processes$1) and (authenticat$3).ab. | US-PGPUB; USPAT | OR | OFF | 2006/04/03 20:12
S34 | 261 | (halt$ disabl$4 stop$3 ceas$3 paus$3 susspen$5 interrupt$3) near3 (program$1 task$1 application$1 routine$1 processes$1) same (authenticat$3) | US-PGPUB; USPAT | OR | OFF | 2006/04/03 20:13
S35 | 71 | (halt$ disabl$4 stop$3 ceas$3 paus$3 susspen$5 interrupt$3) near3 (program$1 task$1 application$1 routine$1 processes$1) near7 (authenticat$3) | US-PGPUB; USPAT | OR | OFF | 2006/04/03 20:13
S36 | 208 | (halt$ disabl$4 stop$3 ceas$3 paus$3 suspen$5 interrupt$3) near3 (program$1 task$1 application$1 routine$1 processes$1) same (authenticat$3)not S35 | US-PGPUB; USPAT | OR | OFF | 2006/04/03 20:13
S37 | 90 | (halt$ disabl$4 stop$3 ceas$3 paus$3 suspen$5 interrupt$3) near3 (program$1 task$1 application$1 routine$1 processes$1) near15 (password)not S35 | US-PGPUB; USPAT | OR | OFF | 2006/04/05 16:30
S38 | 228 | S33 not (S34 S35 S37 S36 [illegible]) | US-PGPUB; USPAT | OR | OFF | 2006/04/03 20:13
S39 | 57 | (halt$ stop$3 ceas$3 paus$3 suspen$5 interrupt$3) near3 (program$1 task$1 application$1 routine$1 processes$1) near15 (password)not S35 | US-PGPUB; USPAT | OR | OFF | 2006/04/03 20:13
S40 | 0 | (sav$3 near4 state)near5 (program$1 task$1 application$1 routine$1 processes$1) same (interrupt and authenticat$3) | US-PGPUB; USPAT | OR | OFF | 2006/04/05 15:54
S41 | 14 | (state)near5 (program$1 task$1 application$1 routine$1 processes$1) same (interrupt and authenticat$3) | US-PGPUB; USPAT | OR | OFF | [illegible]
S42 | 1 | "5652890".pn. and inter$ | US-PGPUB; USPAT | OR | OFF | 2006/04/05 16:23
S43 | 0 | "5652890".pn. and authent$5 | US-PGPUB; USPAT | OR | OFF | 2006/04/05 16:27
S45 | 12 | (halt$ paus$ stop$ frozen freez$ imped$ delay$)and "5652890" | US-PGPUB; USPAT | OR | OFF | 2006/04/05 16:28
S46 | 1 | (halt$ paus$ stop$ frozen freez$ imped$ delay$)and "5652890".pn. | US-PGPUB; USPAT | OR | OFF | 2006/04/05 16:29
S47 | 8 | (halt$ disabl$4 stop$3 ceas$3 paus$3 suspen$5 interrupt$3) near3 (program$1 task$1 application$1 routine$1 processes$1) near15 (secure adj mode) | US-PGPUB; USPAT | OR | OFF | 2006/04/05 16:31
S48 | 1 | (halt$ disabl$4 stop$3 ceas$3 paus$3 suspen$5 interrupt$3) near3 (program$1 task$1 application$1 routine$1 processes$1) near15 (secure adj mode) | EPO; JPO; DERWENT | OR | OFF | 2006/04/05 16:38
S49 | 1 | "20020066039" and screen$ | EPO; JPO; DERWENT | OR | OFF | 2006/04/05 16:38
S50 | 1 | "20020066039" and screen$ and authenticat$ | EPO; JPO; DERWENT | OR | OFF | 2006/04/05 19:15
S51 | 0 | (curtain atomic) near4 authenticat$3 | EPO; JPO; DERWENT | OR | OFF | 2006/04/05 19:16
S52 | 0 | (curtain atomic) near4 authenticat$4 | EPO; JPO; DERWENT | OR | OFF | 2006/04/05 19:16
S53 | 5 | (curtain atomic) same authenticat$4 | EPO; JPO; DERWENT | OR | OFF | 2006/04/05 19:17
S54 | 20 | (curtain atomic adj transaction$1) same authenticat$4 | US-PGPUB; USPAT | OR | OFF | 2006/04/05 19:17
S55 | 31 | (curtain$ atomic adj transaction$1) same authenticat$4 | US-PGPUB; USPAT | OR | OFF | 2006/04/05 19:21
S56 | 13 | (curtain$ atomic adj transaction$1) same authenticat$4 and ((halt$ disabl$4 stop$3 ceas$3 paus$3 susspen$5 interrupt$3) near3 (code program$1 task$1 application$1 routine$1 processes$1)) | US-PGPUB; USPAT | OR | OFF | 2006/04/05 19:22
S57 | 8 | (curtain$ atomic adj transaction$1) same authenticat$4 and ((halt$ disabl$4 stop$3 ceas$3 paus$3 susspen$5 interrupt$3) near3 (program$1 task$1 application$1 routine$1 processes$1)) | US-PGPUB; USPAT | OR | OFF | 2006/04/05 19:23
S58 | 0 | (curtain$ atomic adj transaction$1) same authenticat$4 and ((halt$ disabl$4 stop$3 ceas$3 paus$3 susspen$5 ) near3 (program$1 task$1 application$1 routine$1 processes$1)) | US-PGPUB; USPAT | OR | OFF | 2006/04/05 19:22
S59 | 63289 | ((halt$ disabl$4 stop$3 ceas$3 paus$3 susspen$5 interrupt$3) near3 (program$1 task$1 application$1 routine$1 processes$1)) | US-PGPUB; USPAT | OR | OFF | 2006/04/05 19:24
S60 | 4905 | ((halt$ paus$3 susspen$5) near3 (program$1 task$1 routine$1 processes$1)) | US-PGPUB; USPAT | OR | OFF | 2006/04/05 19:24
S61 | 557 | ((halt$ paus$3 susspen$5) near3 (program$1 task$1 routine$1 processes$1)) same ((restart$3 start$3 restat$3)near3 (program$1 task$1 routine$1 processes$1)) | US-PGPUB; USPAT | OR | OFF | 2006/04/05 19:25
S62 | 3 | ((halt$ paus$3 susspen$5) near3 (program$1 task$1 routine$1 processes$1)) same ((restart$3 start$3 restat$3)near3 (program$1 task$1 routine$1 processes$1)) same secur$3 | US-PGPUB; USPAT | OR | OFF | 2006/04/05 19:27
S63 | 22 | ((halt$ paus$3 susspen$5) near3 (program$1 task$1 routine$1 processes$1)) same ((restart$3 start$3 restat$3)near3 (program$1 task$1 routine$1 processes$1)) and ((secur$3).ab. secur$3.ti.) | US-PGPUB; USPAT | OR | OFF | 2006/04/05 19:27
S64 | 22 | ((halt$ paus$3 susspen$5) near3 (program$1 task$1 routine$1 processes$1)) same ((restart$3 start$3 restat$3)near3 (program$1 task$1 routine$1 processes$1)) and ((secur$3).ab. secur$3.ti.) not S62 | US-PGPUB; USPAT | OR | OFF | 2006/04/05 19:29

File 348: EUROPEAN PATENTS 1978-2006/200613
(c) 2006 European Patent Office
File 349: PCT FULLTEXT 1979-2006/UB=20060330,UT=20060323
(c) 2006 WIPO/Univentio

Set | Items | Description
S1 | 2769447 | PROGRAM? ? OR APPLICATION? ? OR MODULE? ? OR ROUTINE? ? OR PROCESSES OR THREAD? ? OR TASK? ?
S2 | 566048 | RUN OR RUNNING OR EXECUT???
S3 | 340172 | MEMORY OR RAM
S4 | 29121 | S1(7N)S2:S3(7N)(SUSPEND??? OR SUSPENSION OR DEFER??? OR DEFERMENT OR DELAY??? OR INHIBIT? OR HALT??? OR PREVENT??? OR DISABL? OR HINDER??? OR STOP???? OR BLOCK??? OR RESTRICT??? OR IMPED??? OR FREEZ??? OR FROZEN OR PAUS??? OR INTERRUPT?)
S5 | 236175 | PIN OR PERSONAL()IDENTIFICATION()NUMBER? ? OR PASSWORD? ? OR PASSCODE? ? OR PASSPHRASE? ? OR (PASS OR SECRET)()(WORD? ? OR CODE? ? OR PHRASE? ?) OR CREDENTIAL? ? OR AUTHENTICAT?
S6 | 79650 | S5(7N)(ENTER??? OR ENTRY OR INPUT??? OR SUBMIT? OR TYPE? ? OR TYPING OR PROVID??? OR SUPPLY??? OR SUPPLIES OR SUPPLIED OR WRIT??? OR PRESENT???)
S7 | 7684 | S5(7N)(SCREEN? ? OR BOX? ? OR PROMPT???)
S8 | 346 | S4(50N)S6:S7
S9 | 153 | S4(50N)S6:S7(50N)(KEY? ? OR KEYBOARD? ? OR KEYPAD? ? OR CLICK??? OR PRESS?? OR PRESSING OR BUTTON? ?)
S10 | 77 | S9 AND AC=US/PR AND AY=(1978:2000)/PR
S11 | 77 | S9 AND AC=US AND AY=1978:2000
S12 | 77 | S9 AND AC=US AND AY=(1978:2000)/PR
S13 | 76 | S9 AND PY=1978:2000
S14 | 98 | S10:S13
S15 | 98 | ID PAT (sorted in duplicate/non-duplicate order)



File 347: JAPIO Nov 1976-2005/Nov (Updated 060302)
(c) 2006 JPO & JAPIO
File 350: Derwent WPIX 1963-2006/UD,UM &UP=200622
(c) 2006 Thomson Derwent

Set | Items | Description
S1 | 2025902 | PROGRAM? ? OR APPLICATION? ? OR MODULE? ? OR ROUTINE? ? OR PROCESSES OR THREAD? ?
S2 | 883128 | RUN OR RUNNING OR EXECUT???
S3 | 1044662 | MEMORY OR RAM
S4 | 14932 | S1(7N)S2:S3(7N)(SUSPEND??? OR SUSPENSION OR DEFER??? OR DEFERMENT OR DELAY??? OR INHIBIT? OR HALT??? OR PREVENT??? OR DISABL? OR HINDER??? OR STOP???? OR BLOCK??? OR RESTRICT??? OR IMPED??? OR FREEZ??? OR FROZEN OR PAUS??? OR INTERRUPT?)
S5 | 414501 | PIN OR PERSONAL()IDENTIFICATION()NUMBER? ? OR PASSWORD? ? OR PASSCODE? ? OR PASSPHRASE? ? OR (PASS OR SECRET)()(WORD? ? OR CODE? ? OR PHRASE? ?) OR CREDENTIAL? ? OR AUTHENTICAT?
S6 | 72653 | S5(7N)(ENTER??? OR ENTRY OR INPUT??? OR SUBMIT? OR TYPE? ? OR TYPING OR PROVID??? OR SUPPLY??? OR SUPPLIES OR SUPPLIED OR WRIT??? OR PRESENT???)
S7 | 3588 | S5(7N)(SCREEN? ? OR BOX? ? OR PROMPT???)
S8 | 92 | S4 AND S6:S7
S9 | 13 | S8 AND AC=US/PR AND AY=(1963:2000)/PR
S10 | 22 | S8 AND AC=US AND AY=1963:2000
S11 | 22 | S8 AND AC=US AND AY=(1963:2000)/PR
S12 | 45 | S8 AND PY=1963:2000
S13 | 51 | S9:S12
S14 | 51 | ID PAT (sorted in duplicate/non-duplicate order)



File 275: Gale Group Computer DB(TM) 1983-2006/Apr 03
(c) 2006 The Gale Group
File 621: Gale Group New Prod.Annou.(R) 1985-2006/Apr 03
(c) 2006 The Gale Group
File 636: Gale Group Newsletter DB(TM) 1987-2006/Apr 03
(c) 2006 The Gale Group
File 16: Gale Group PROMT(R) 1990-2006/Apr 04
(c) 2006 The Gale Group
File 160: Gale Group PROMT(R) 1972-1989
(c) 1999 The Gale Group
File 148: Gale Group Trade & Industry DB 1976-2006/Apr 03
(c) 2006 The Gale Group
File 624: McGraw-Hill Publications 1985-2006/Apr 03
(c) 2006 McGraw-Hill Co. Inc
File 15: ABI/Inform(R) 1971-2006/Apr 03
(c) 2006 ProQuest Info&Learning
File 647: CMP Computer Fulltext 1988-2006/Apr W4
(c) 2006 CMP Media, LLC
File 674: Computer News Fulltext 1989-2006/Mar W4
(c) 2006 IDG Communications
File 696: DIALOG Telecom. Newsletters 1995-2006/Apr 03
(c) 2006 Dialog
File 369: New Scientist 1994-2006/Aug W4
(c) 2006 Reed Business Information Ltd.

Set | Items | Description
S1 | 10849027 | PROGRAM? ? OR APPLICATION? ?
S2 | 507105 | S1(5N)(RUN OR RUNNING OR EXECUT???)
S3 | 103488 | S1(7N)(MEMORY OR RAM)
S4 | 11417 | S2:S3(7N)(SUSPEND??? OR SUSPENSION OR DEFER??? OR DEFERMENT OR DELAY??? OR INHIBIT? OR HALT??? OR PREVENT??? OR DISABL? OR HINDER??? OR STOP???? OR BLOCK??? OR RESTRICT??? OR IMPED??? OR FREEZ??? OR FROZEN OR PAUS??? OR INTERRUPT?)
S5 | 770207 | PIN OR PERSONAL()IDENTIFICATION()NUMBER? ? OR PASSWORD? ? OR PASSCODE? ? OR PASSPHRASE? ? OR (PASS OR SECRET)()(WORD? ? OR CODE? ? OR PHRASE? ?) OR CREDENTIAL? ? OR AUTHENTICAT?
S6 | 143061 | S5(7N)(ENTER??? OR ENTRY OR INPUT??? OR SUBMIT? OR TYPE? ? OR TYPING OR PROVID??? OR SUPPLY??? OR SUPPLIES OR SUPPLIED OR WRIT??? OR PRESENT???)
S7 | 13555 | S5(7N)(SCREEN? ? OR BOX? ? OR PROMPT???)
S8 | 73 | S4(50N)S6:S7
S9 | 49 | RD (unique items)
S10 | 39 | S9 NOT PY=2001:2006
S11 | 8960930 | RUN OR RUNNING OR EXECUT???
S12 | 1066114 | MEMORY OR RAM
S13 | 23151 | S1(7N)S11:S12(7N)(SUSPEND??? OR SUSPENSION OR DEFER??? OR DEFERMENT OR DELAY??? OR INHIBIT? OR HALT??? OR PREVENT??? OR DISABL? OR HINDER??? OR STOP???? OR BLOCK??? OR RESTRICT??? OR IMPED??? OR FREEZ??? OR FROZEN OR PAUS??? OR INTERRUPT?)
S14 | 138 | S13(50N)S6:S7
S15 | 97 | RD (unique items)
S16 | 42 | S15 NOT (S10 OR PY=2001:2006)
S17 | 2248410 | MODULE? ? OR ROUTINE? ? OR PROCESSES OR THREAD? ?
S18 | 5115 | S17(7N)S11:S12(7N)(SUSPEND??? OR SUSPENSION OR DEFER??? OR DEFERMENT OR DELAY??? OR INHIBIT? OR HALT??? OR PREVENT??? OR DISABL? OR HINDER??? OR STOP???? OR BLOCK??? OR RESTRICT??? OR IMPED??? OR FREEZ??? OR FROZEN OR PAUS??? OR INTERRUPT?)
S19 | 15 | S18(50N)S6:S7
S20 | 11 | RD (unique items)

Windows NT Server 4 Security Handbook

All rights reserved. Printed in the United States of America. No part
of this book may be used or reproduced in any form or by any
means, or stored in a database or retrieval system, without prior
written permission of the publisher except in the case of brief
quotations embodied in critical articles and reviews. Making copies of
any part of this book for any purpose other than your own personal



The User Mode Security Components

The User mode layer of the Windows NT operating system contains several components
that work together to form the security subsystem. The security subsystem is
comprised of the following components:

■ Log-on processes These are the user mode processes that are used to authenticate
users when they log on to the computer system. The log-on process is used to
authenticate both local users and remote users.

■ Local Security Authority This component is used in conjunction with the log-on
process to verify that an individual has a legitimate user account on the system. This
account status must be verified before access to the system is permitted. The Local
Security Authority is the main component in the user mode portion of the security
subsystem. Notice the words "user mode portion": one component of the security
subsystem, the Security Reference Monitor, is not a user mode component.
We'll explain more about that later in the chapter when we discuss the log-on and
authentication process. The Local Security Authority is responsible for all interactive
log-on activities and is the component that generates system access tokens (SATs).
It also is responsible for the audit control policy and the logging of audit messages
generated by the Security Reference Monitor.

■ Security Account Manager (SAM) This User mode component is responsible for
maintaining the user accounts database that is used by the Local Security Authority
to validate an individual's account during the log-on process.

These components combined with the Security Reference Monitor form the Windows NT
Security Subsystem. This subsystem is not called an environmental subsystem, because it
spans both the User mode and the Kernel mode. For this reason, it is called an integral
subsystem. You learn more about how the Security Subsystem works later in the chapter
when you see the log-on process and other object access issues.

Now, let's look at some of the changes that have been made to the operating system's
architecture in Windows NT 4.0.

Learning the Architectural Changes in Windows NT 4.0

Windows NT 4.0 system architecture is based on the same architecture used with version
3.5x, but with some modifications to both the Windows NT Executive and the Win32
subsystem. These modifications were made to improve system performance and still
maintain the same degree of system integrity. (See Figure 3.4.)

device (video or printer) without knowing anything about the device. Consider this
component to be the translator, taking the information from an application and then
translating it into a language that the device drivers can understand.

■ Graphics Device Drivers These are a set of DLLs that contain functions that allow
the GDI to access the physical output devices. The most common output devices are
monitors and printers. Device drivers take the translated information from the GDI
and instruct the physical device to perform some type of action based on the
translated information (or instructions). The use of drivers allows very specific
device information to be implemented as separate and independent modules that
can all hook into a common set of instructions. Some of these drivers are considered
to be high-level drivers, others are considered to be the low-level drivers. The
difference is that the low-level drivers actually control hardware operation while
high-level device drivers break the GDI calls into smaller pieces that the low-level
drivers can understand.

Now that you've seen the individual components that comprise both the User mode and
Kernel mode layers of the Windows NT operating system architecture, you can look at
the various security processes that use these components.



Windows NT Security System Operation 

User mode and Kernel mode layer components perform many of the internal system
operations in Windows NT. Let's begin with a quick review of the components that make
up the security subsystem. Here's a list of the components and their functions:

■ Log-on processes These are the user mode processes that are used to authenticate
users when they log on to the computer system.

■ Local Security Authority This component is used in conjunction with the log-on
process to verify that an individual has a legitimate user account on the system. This
account status must be verified before access to the system is permitted. The Local
Security Authority is the main component in the user mode portion of the security
subsystem. The Local Security Authority is responsible for all interactive log-on
activities and is the component that generates system access tokens (SATs). It is
also responsible for the audit control policy and the logging of audit messages
generated by the Security Reference Monitor.

■ Security Account Manager (SAM) Now called the directory services database, this
User mode component is responsible for maintaining the user accounts database
that is used by the Local Security Authority to validate an individual's account
during the log-on process.

The log-on process begins when a user presses the Ctrl+Alt+Del keys. This sequence of
keystrokes is called the secure attention sequence, and it will always display the Windows
NT operating system log-on screen. The intention here is to prevent the capture of a
user's account name and password by a program that is imitating the Windows NT log-on
screen (called a Trojan Horse program). This key sequence generates low-level function
calls within the Windows NT operating system that can't be duplicated by application
programs. However, it is possible to capture the Ctrl+Alt+Del keystrokes under DOS and
redirect them. Therefore, it's possible that a DOS-based program running from an
MS-DOS boot disk could simulate the Windows NT log-on screen and simply report some
type of error while capturing the user's name and password. Again, the best prevention
against this scenario is to always maintain tight physical security.

At this time the user must type in his or her account name and password in an interactive
process that ultimately grants or denies access to the system. The user name and
password gathered by the log-on process are then passed to the Local Security Authority,
which calls an authentication package.

The authentication package that is used may be custom written if necessary and does not
necessarily have to be the authentication package that comes with Windows NT. This
enables vendors to write custom packages that enable a user to log on to multiple systems
at once, or use some sort of hardware-based device to authenticate users. Examples
would be magnetic identification card scanners, voice recognition scanners, or even
mechanical key devices.

The authentication package checks the account name and password against the names
and passwords listed in the user accounts database. If a match is found, the account is
validated and the SAM returns the user's SID and the security IDs of any groups the user
belongs to. A log-on session is created by the authentication package. This log-on session,
along with all the SIDs, is then passed back to the Local Security Authority.

At this time the SAT is created by the Local Security Authority. This token contains the 
SIDs of the user and any groups the user belongs to. In addition to the SIDs themselves, 
the SAT contains user rights information specific to each SID. 

The token is then returned to the log-on process where it is attached to a process created 
by the Win32 subsystem on behalf of the user. This process, with its attached SAT, is 
called a subject for the user account. At this time the Win32 subsystem starts the desktop 
for an interactive user session. 

If the authentication package cannot verify the user's account in the local accounts
database, the information is forwarded to an alternative authentication package if one
exists on the network. If the account validation fails, an error message is returned to the
user notifying him or her that an incorrect account name or password has been entered.
The user may then attempt to log on again.
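
The log-on sequence described above, modeled as an added Python sketch (not code from the book or from Windows NT): the Local Security Authority tries each authentication package in turn, the package validates the credentials against an accounts database and opens a log-on session, and the LSA builds the access token from the returned SIDs and writes an audit record. The class and function names, the sample accounts, passwords, user SIDs and rights, and the salted PBKDF2 password storage are all assumptions made for illustration.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

# Every name, account, password, SID and right here is constructed for illustration.

def _derive(password, salt):
    # Assumption: the accounts database keeps a salted PBKDF2 verifier, not the password.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)

class AccountsDatabase:
    """Stands in for the SAM: account name -> verifier, user SID, group SIDs."""
    def __init__(self):
        self._accounts = {}
        # Unknown names are checked against a dummy record so they cost the same work.
        self._dummy = (os.urandom(16), os.urandom(32), None, ())

    def add(self, name, password, user_sid, group_sids):
        salt = os.urandom(16)
        self._accounts[name.lower()] = (salt, _derive(password, salt), user_sid, tuple(group_sids))

    def validate(self, name, password):
        salt, verifier, user_sid, group_sids = self._accounts.get(name.lower(), self._dummy)
        matched = hmac.compare_digest(verifier, _derive(password, salt))
        return (user_sid, group_sids) if matched and user_sid else None

class AuthenticationPackage:
    """Checks credentials against one accounts database and creates the log-on session."""
    def __init__(self, name, database):
        self.name, self.database, self._sessions = name, database, 0

    def authenticate(self, account, password):
        result = self.database.validate(account, password)
        if result is None:
            return None
        self._sessions += 1
        return f"{self.name}-{self._sessions}", result[0], result[1]

@dataclass(frozen=True)
class AccessToken:
    session_id: str
    user_sid: str
    group_sids: tuple
    rights_by_sid: dict  # rights listed per SID, as the text describes for the SAT

class LocalSecurityAuthority:
    def __init__(self, packages, rights):
        self.packages, self.rights, self.audit_log = packages, rights, []

    def logon(self, account, password):
        for package in self.packages:  # later packages act as the alternative
            outcome = package.authenticate(account, password)
            if outcome:
                session_id, user_sid, group_sids = outcome
                per_sid = {sid: self.rights.get(sid, ()) for sid in (user_sid, *group_sids)}
                self.audit_log.append(("logon-success", account, package.name))
                return AccessToken(session_id, user_sid, group_sids, per_sid)
        # Unknown account and wrong password produce the same failure.
        self.audit_log.append(("logon-failure", account, None))
        return None

def build_demo_lsa():
    local, network = AccountsDatabase(), AccountsDatabase()
    local.add("alice", "correct horse", "S-1-5-21-1000", ["S-1-5-32-545"])
    network.add("bob", "battery staple", "S-1-5-21-2000", ["S-1-5-32-544"])
    rights = {"S-1-5-32-545": ("log on locally",),
              "S-1-5-32-544": ("log on locally", "take ownership")}
    return LocalSecurityAuthority(
        [AuthenticationPackage("local", local), AuthenticationPackage("network", network)], rights)

if __name__ == "__main__":
    lsa = build_demo_lsa()
    print(lsa.logon("bob", "battery staple"))
    print(lsa.logon("alice", "wrong password"), lsa.audit_log)
```
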